Comment by thrower123
7 years ago
This is one reason I hate npm. Who really checks that sprawling byzantine dependency tree to make sure that there isn't some micropackage that has a GPL license that could get included and taint the whole thing?
I just have the horrors when I look at the package.json file after the front-end folks have been allowed to run free...
There are tools [0] to help check the licenses of all your dependencies. I think larger companies build up a whitelist of libraries as they're reviewed and approved.
[0] https://github.com/davglass/license-checker
Yep. When I was at IBM, part of releasing something was a review of every dependency and its license. The stuff I worked on wasn't allowed to include any GPL code. (Or WTFPL, for that matter, but I think that had more to do with curse words than actual license issues.)
Couldn't you just "relicense" WTFPL code as MIT code (or proprietary code, for that matter) and call it a day?
Shouldn't you be more concerned about the quality of the code? If no one has bothered to check the license, I'm sure nobody has studied it for a backdoor.
There are many reasons. That is another huge one.
Most of the time, nobody is even aware that including some new widget code ends up downloading half the internet, making our code size increase, our build times extend, and opening up a huge volume of attack. No one has any idea what dragons might lurk in that mess, or sometimes even that there might be dragons at all.
Shouldn't this be something that npm could support checking as a first class feature?
One can hope that front-end and back-end are truly separated.